Windows Server 2008 Active Directory Configuring - 70-640

Enabling scavenging from the properties of the zone allows for automatic removal of outdated DNS records. Scavenging is a feature in Active Directory-integrated DNS zones that allows the DNS server to automatically delete stale resource records based on a specified refresh interval and no-refresh interval. This helps to keep the DNS zone clean and up to date by removing records that are no longer valid or needed. Modifying the TTL of the SOA record, running ipconfig /flushdns, or disabling dynamic updates would not address the requirement of automatically removing outdated DNS records.

You should use the ntdsutil tool to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

Setting dynamic updates to Secure Only is the correct answer because it ensures that only domain members with proper authentication can dynamically register their DNS records. This setting provides an added layer of security by preventing unauthorized devices or users from registering DNS records in the intranet.adatum.com zone.

On DC2, seize the Schema Master role. When the current Schema Master (DC1) fails, the Schema Master role needs to be transferred to another domain controller (DC2) to ensure its availability. Seizing the role means forcibly taking control of it from the failed DC1. This can be done using the Active Directory Schema snap-in on DC2.

When a computer is turned off for an extended period of time, its computer account in Active Directory may become expired or disabled. Resetting the computer account and then disjoining and rejoining the computer to the domain will refresh the computer account and allow the user to log in successfully.

To ensure that users at the branch office are able to log on to the domain using the RODC, the Password Replication Policy needs to be configured on the RODC. This policy allows the RODC to store a copy of user passwords locally, enabling authentication requests to be processed locally without the need for communication with the main office. By configuring this policy, users at the branch office will be able to log on to the domain using the RODC even if there is limited or no connectivity with the main office.

not-available-via-ai

The correct answer is to use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. ADSI Edit is a Microsoft Management Console (MMC) snap-in that allows administrators to manage Active Directory and AD LDS objects and attributes. It provides a graphical interface for creating and modifying objects in the directory. This is the appropriate tool to use when working with AD LDS application directory partitions. The other options, such as using dsmod OU or Active Directory Users and Computers snap-in, are not specific to AD LDS and may not provide the necessary functionality for managing the application directory partition.

The correct answer is to configure conditional forwarding for the intranet.fabrikam.com domain. This solution allows Contoso users to resolve names from the intranet.fabrikam.com domain without transferring the internal DNS zone data outside the Fabrikam network, which complies with Fabrikam's security policy. Conditional forwarding allows DNS servers to forward queries for specific domains to specific DNS servers, in this case, Contoso's DNS servers can forward queries for intranet.fabrikam.com to Fabrikam's DNS servers. This ensures that Contoso users can resolve names from the intranet.fabrikam.com domain while keeping the zone data within Fabrikam's network.

Decreasing the replication interval for the DEFAULTIPSITELINK object will reduce the time between replication cycles, thereby decreasing the replication latency between the domain controllers. This will ensure that changes made in one site are quickly replicated to the other sites, improving overall network performance and reducing the chances of data inconsistencies.

Performing an authoritative restore of the Groups OU is the correct answer because it will restore the deleted OU and its objects while maintaining their original state and attributes. This means that any changes made to the objects after the backup was taken will be overwritten. Restoring the Sales OU would not bring back the deleted Groups OU. Performing a non-authoritative restore of either the Sales OU or the Groups OU would not restore the deleted Groups OU.

Converting the primary zone into an Active Directory-integrated zone and deleting the secondary zone is the correct answer because Active Directory-integrated zones use secure dynamic updates and replication, which ensures that the replication of the contoso.com zone is encrypted. By converting the primary zone, you are ensuring that the zone data is not lost. Deleting the secondary zone is necessary because it is not needed once the primary zone is converted to an Active Directory-integrated zone.

Enabling debug logging in the DNS Manager console will allow you to record all inbound DNS queries to the server. Debug logging provides detailed information about DNS queries and responses, which can be useful for troubleshooting and analysis purposes. By enabling debug logging, you can capture and analyze the DNS traffic to identify any issues or anomalies in the DNS server's operation. This can help in diagnosing and resolving DNS-related problems effectively.

To transfer all forest-wide operations master roles to another domain controller, you should transfer the Domain Naming Master role and the Schema Master role. The Domain Naming Master role is responsible for managing the addition and removal of domains in the forest, while the Schema Master role is responsible for managing changes to the Active Directory schema. By transferring these two roles, you ensure that the new domain controller has the necessary authority to perform these critical functions within the forest.

To create multiple password policies for users in a single Active Directory domain, you need to use the ADSI Edit snap-in and create multiple Password Setting objects. This is because the functional level of the forest is Windows Server 2008 R2, which does not natively support multiple password policies. The ADSI Edit snap-in allows you to modify the Active Directory schema and create custom password policies by creating Password Setting objects. These objects can then be linked to specific user groups to enforce different password policies for different groups of users.

Enabling the Audit object access option allows tracking of access to objects such as files. Linking the GPO to the Payroll organizational unit ensures that the GPO is applied to the file servers in the Payroll OU. Configuring Auditing for the Everyone group in the Payroll folder on the file servers means that all employees, regardless of their authentication status, will have their access to the Payroll files tracked. This combination of actions allows for effective monitoring of employee access to the Payroll files on the file servers.

To ensure that changes made to Active Directory objects can be logged and include the old and new values of any attributes, you need to configure the Security settings of the Domain Controllers OU using auditpol.exe. This will allow you to enable the necessary audit settings for the domain controllers. Enabling the Audit account management policy in the Default Domain Controller Policy or the Audit directory service access setting in the Default Domain policy alone will not provide the required level of logging.

By converting the ad.contoso.com zone on DC1 to an Active Directory-integrated zone, the DNS zone data will be replicated to DC2 using Active Directory replication. This means that DC2 will have a local copy of the DNS zone data and will be able to update records and resolve DNS queries even if the WAN link fails. This ensures that the DNS service remains available in the branch office even in the event of a WAN link failure.

Raising the domain functional level of fabrikam.com to Windows Server 2008 will enable the Kerberos AES encryption option. The domain functional level determines the available features and capabilities within a domain, and by raising it to Windows Server 2008, the domain will support the AES encryption algorithm for Kerberos authentication. This will allow contoso.com and fabrikam.com to use AES encryption for secure communication between the two forests.

To ensure that AD FS tokens contain information from the Active Directory domain, you need to add and configure a new account store. An account store is used to store user accounts and their attributes, and by adding and configuring a new account store, you can specify the Active Directory domain as the source for user information. This will allow AD FS tokens to contain the necessary information from the Active Directory domain.

Archiving the private key on the server is the correct answer because key archival allows for the recovery of encrypted data in case the original key is lost or compromised. By archiving the private key on the server, the encrypted files can be accessed and decrypted if needed. This ensures the security and availability of the encrypted data. The other options mentioned in the question do not specifically address key archival and are therefore not the correct choices.

To configure Server1 to support the Online Responder, you need to configure the Authority Information Access (AIA) extension. The AIA extension provides information about where to locate the certificate revocation list (CRL) and the Online Certificate Status Protocol (OCSP) responder. This allows clients to check the revocation status of certificates issued by the CA. Importing the enterprise root CA certificate is not necessary for configuring the Online Responder. Configuring the Certificate Revocation List Distribution Point extension is also not required as it is related to the distribution of CRLs, not the configuration of the Online Responder. Adding the Server2 computer account to the CertPublishers group is unrelated to configuring the Online Responder.

To achieve the goal of deploying the application to users in the Production organizational unit while excluding users in the R&D organizational unit, two possible ways are:

1. Configure the Block Inheritance setting on the R&D organizational unit: By blocking inheritance on the R&D organizational unit, the GPO applied to the parent unit (Production) will not be inherited by the child unit (R&D), ensuring that the application deployment does not affect the R&D users.

2. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group: By configuring security filtering, specifically denying the R&D security group from applying the group policy, the application deployment will be restricted only to users outside the R&D organizational unit.

The Active Directory Sites and Services console should be used to configure the domain controller as a Global Catalog server. This console allows administrators to manage the replication topology of Active Directory and control the placement of Global Catalog servers within different sites. By using this tool, the domain controller can be designated as a Global Catalog server for the specific branch office site, enabling it to support the new application.

The error message "SQL Server does not exist or access denied" suggests that there is an issue with the SQL Server. Restarting IIS can help resolve any temporary issues with the web server. Starting the MSSQLSVC service is necessary to ensure that the SQL Server is running and accessible. Manually deleting the Service Connection Point in AD DS and installing Message Queuing are not relevant to resolving the SQL Server error.

Implementing an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing ensures that revoked certificate information is highly available. Network Load Balancing allows for load balancing and fault tolerance across multiple servers, ensuring that the OCSP responder is always accessible and responsive. This helps to maintain the security and integrity of the certificate infrastructure within the Active Directory domain.

not-available-via-ai

To ensure that a user can modify records in the contoso.com zone but cannot modify the SOA record in the nwtraders.com zone, you should modify the permissions of the contoso.com zone in the DNS Manager console. By adjusting the permissions specifically for the contoso.com zone, you can grant the user the necessary access to make modifications within that zone while restricting their ability to modify the SOA record in the nwtraders.com zone.

The correct answer is to configure conditional forwarding on DC2 and delete the Root zone on DC2.

Configuring conditional forwarding on DC2 allows it to forward unresolved name requests to the DNS1.contoso.com server. This ensures that DC2 can resolve names that it cannot resolve itself.

Deleting the Root zone on DC2 is necessary because having a Root zone can prevent the DNS forwarding option from being available. By deleting the Root zone, the DNS forwarding option becomes available and can be configured to point to the DNS1.contoso.com server.

To record any failed attempts made by the consultants to access the confidential data, two actions should be performed. Firstly, a new GPO should be created and linked to the SecureServers organizational unit. The Audit object access Failure audit policy setting should be configured in this GPO. This will enable the auditing of failed attempts to access the confidential data. Secondly, on each shared folder on the three file servers, the TempWorkers global group should be added to the Auditing tab. The Failed Full control setting should be configured in the Auditing Entry dialog box. This will allow the auditing of failed attempts made by the consultants to access the shared folders.